Early database systems utilized large centralized computers to store data and terminal devices physically connected to the centralized computer to provide user access to the data. In these early systems, the database management system had all the knowledge necessary to place constraints on data access. The entities defined in the database management system (i.e., users, tables, columns, rows, functions) could be used by the database management system to restrict or allow access to data and operations by users.
More recently, most database systems have been implemented in networked environments in which users can access a database from a variety of heterogeneous clients. The security model used by many current database systems, however, extends from the security model developed in early database systems. In such systems, describing the constraints on access and usage of data to meet security requirements is done in terms of entities internal to the database itself and these descriptions are maintained/interpreted by the database itself. In other words, security policies to perform operations on data in the database are defined based on entities defined internally in the database itself.
Current database security schemes are insufficient because of the complexity inherent in a networked environment, which grows non-linearly with the number of components in the networked environment. As an example, a user may attempt to access data in a corporate database from an office computer and a home computer via a virtual private network (“VPN”). If the database has entities for users, but not for network attributes (say IP address of a request), the database management system will only be able to restrict access to the data based on the user, not the location from which the user is attempting to access the data. In order to restrict access based on a request generated by a local LAN versus over a VPN, new entities would have to be created in the database to implement the security constraint. Under this model, effective management of security would require predicting which entities are necessary in the database to apply security constraints. However, as individual components on the network are arbitrarily used, the behavior of the aggregate system is changed in ways that are impossible to predict from a practical standpoint. Consequently, a security model that relies solely on entities known to the database management system is insufficient for robust security in a networked environment.
Another obstacle in enforcing database policies in a networked environment involves performance-sensitive computations. To allow for more flexible configuration and operation, many computer-based database appliances are adding policy-based controls to allow their administrators to define appropriate constraints on operations. For appliances that are monitoring and/or securing performance-sensitive data flows, the number of comparisons between input data and policy criteria has a significant impact on the performance and domain of applicability of the solution.
Traditional hardware-based optimizations to improve throughput involved committing significant hardware resources to the problem (parallel processing systems, etc.) or using hardware components such as FPGAs that are dedicated to processing this type of traffic. Software optimizations, on the other hand, typically revolve around compiler optimizations that improve the straight-line performance of code by cleverly arranging loops or tree-based comparison algorithms that allow the coder to divide the problem into more manageable sizes.